← Back to Leafy

Privacy Policy

Straight talk about your data — for the website and the Mac app.

Last updated: July 2026

Your privacy matters. Below is what we collect, why, how long we keep it, and what you can do about it. This policy applies together with our Terms of Service.

1. Who is responsible for your data?

Data controller: Jtobin (individual developer), operating Leafy.

Official website: https://leafyapp.uk

Contact: binjto@gmail.com

For privacy-related questions, data-subject requests, or complaints, use the email above.

2. Data collected on this website

2a. Beta signup form (removed)

The beta signup form has been removed — downloading Leafy requires no account and no email address. If you signed up while the form existed, we keep your email address only to notify you about beta access, until the beta program concludes or you request deletion (see section 6).

2b. Website feedback form

When you send feedback from the homepage, we collect:

Feedback is handled entirely on our own Cloudflare infrastructure: it is stored in our Cloudflare database and forwarded to our inbox via Cloudflare Email Routing. No third-party form or email service is involved. To limit abuse, submissions are rate-limited per day using a salted one-way hash of your IP address — the same approach as translation voting (section 2c); your raw IP address is not stored.

2c. Community translation voting ("Translate")

When you use Translate to suggest or vote on app UI translations, we collect:

This data is stored in a Cloudflare D1 database hosted by Cloudflare. English source strings are also stored there for the voting UI. We do not ask for your name or email on this page.

When you load or interact with the Translate page, your browser sends requests to our Cloudflare Worker API. Cloudflare may process connection metadata (including IP address) as part of hosting and security.

2d. Browser storage on the website

We do not use advertising cookies or analytics trackers on this website. We use browser localStorage only to remember that you dismissed the privacy notice. This data stays on your device and is not transmitted to us. (Feedback rate limits are enforced on our server using a hashed IP address, as described in section 2b — nothing is stored in your browser for this.)

All website scripts (including animation libraries and form helpers) are served from our own domain — we do not load JavaScript from third-party CDNs on page load.

3. Data collected by the macOS app

3a. Local storage — stays on your device

All of the following is stored only on your Mac. Leafy has no user accounts and no sync server, so your library is never uploaded to or kept on any server as stored data:

Note: when you scan or look up a word, the text of that query is transmitted for AI processing as described in section 3b below. The resulting definitions and examples are saved to the library on your device; in addition, an anonymous copy of the AI response (not linked to you or your library) may be cached on our proxy as described in section 3b.

3b. Text sent for AI processing

When you use the word scanner, lookup, or translation features, the text you scan or query is sent to a third-party AI service via a secure Cloudflare proxy, solely to generate a response. No name, account, or device identifier is attached to these requests, and our proxy never stores the text of your query as a readable cache key. The AI response is cached temporarily, as described below; for single-word lookups, that response naturally contains the word that was looked up. Longer scanned passages, sentence explanations, and full-text translations are never cached at all.

AI service used:

International transfer to China: DeepSeek processes requests on servers located in the People's Republic of China, outside the European Economic Area. This is a systematic transfer that occurs each time you use these AI features — not an occasional transfer.

We rely on your explicit consent (GDPR Article 6(1)(a) and Article 49(1)(a)) for this transfer. By using AI lookup, scan, or translation features in the app, you consent to your queried text being sent to DeepSeek in China for processing. You can avoid this transfer by not using those features.

We attach no name, account, or device identifier to these requests. The content of the transferred text, however, is whatever you choose to scan or type — if you scan text that contains personal details (such as names, addresses, medical information, or private messages), those details will be sent for processing like any other query. Please avoid scanning text that contains personal or sensitive information. DeepSeek's handling of the request on its own servers is governed by its privacy policy linked above.

Caching: To reduce the number of requests sent to the service, AI responses to identical queries are cached on Cloudflare for up to 12 months. The cache key is a one-way content hash salted with a server-side secret, so the query text is not stored as a readable key and cannot be reconstructed or enumerated without that secret. Each cached entry contains the AI response text together with a one-way hashed IP marker of the request that created it (the same irreversible hashing described in section 3c), used only to avoid re-serving certain generated content to its original requester. No raw IP address, email, or other identity is stored in the cache.

3c. IP address (hashed)

To enforce daily usage limits and to record your interest vote (one vote per device), your IP address is processed as a one-way SHA-256 hash before being stored. The original IP address is never stored and cannot be recovered from the hash. IPv6 addresses are normalised to their /64 network prefix before hashing, so temporary privacy-extension addresses from the same device are treated as one.

Usage counters expire automatically after 25 hours. Vote records are kept until you cancel your vote.

3d. Anonymous usage analytics

The app uses PostHog to collect privacy-first usage signals that help us understand how features are used and where errors occur. Automatic app-lifecycle and screen-view capture are disabled. Events are limited to pseudonymous feature-usage signals — for example: app launched, scan started / completed / failed, word saved, import completed, folder created or renamed, study language selected, offline dictionary downloaded, and AI request failures (a generic error tag and which endpoint failed). Each event carries coarse technical context such as the app version, macOS version, and device model (e.g. "MacBook Pro"), under a random install identifier that is not linked to your name, email, or any account. No vocabulary content, scanned text, or email address is ever sent. PostHog is based in the United States and processes these events on its U.S. servers. As with any network request, your device's IP address is briefly visible to PostHog when an event is sent and may be used for coarse, country-level location statistics — we do not use it to profile you or to connect your usage to a real-world identity. See the PostHog Privacy Policy.

This is entirely optional. You can turn anonymous analytics off at any time in the app under Settings → About; when turned off, no signals are sent at all.

3e. Crash reports

The app uses Sentry to automatically report crashes and certain non-fatal technical errors (for example, a failure to save your library file to disk). Reports contain the stack trace, app version, macOS version, and a short technical description of the problem. Such descriptions can include file-system paths; because a path may reveal your macOS account name, newer app versions redact the account-name portion of paths before sending. No vocabulary content or scanned text is included in reports. See the Sentry Privacy Policy.

3f. App update checks

The app uses Sparkle to check for updates. Your current app version and build number are sent to our update server to determine whether a newer version is available. No personal data is transmitted.

3g. Screen Recording permission

The word scanner requires macOS Screen Recording permission to capture on-screen text. Screenshots are processed instantly on-device by OCR and are never saved, uploaded, or shared.

4. How we use your data

5. Legal basis (GDPR)

International transfers (summary):

You may withdraw consent at any time by contacting binjto@gmail.com, and you may object to analytics at any time by turning it off in the app's Settings. Withdrawing consent or objecting does not affect prior processing that was lawful at the time.

6. How long we keep your data

7. Third-party services (website)

Website JavaScript libraries are self-hosted on our domain. We do not load scripts from third-party CDNs when you visit our pages.

8. Children

Leafy is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you are between 13 and the age of digital consent in your country (up to 16 in some regions), you should use Leafy only with the consent of a parent or legal guardian. If you believe we have received data from a child, contact us and we will delete it promptly. See also our Terms of Service.

9. Your rights (GDPR / UK GDPR)

If you are in the EU, EEA, or UK, you have the right to:

To exercise any of these rights, email binjto@gmail.com. We will respond within 30 days.

Please note: because IP addresses are stored only as irreversible hashes, we cannot identify or retrieve data associated with a specific IP address or browser session. These rights apply most directly to data you have explicitly provided to us, such as your email address or translation suggestion text you can identify.

10. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

To submit a request, email binjto@gmail.com. We will verify and respond as required by law.

11. Changes to this policy

If we make significant changes, we will update the "Last updated" date at the top of this page.

12. Contact

Questions or concerns? Email us at binjto@gmail.com.